A Federal Trade Commission (FTC) final order was recently approved, resolving the FTC complaint over health data privacy concerns at Practice Fusion.
The cloud-based EHR company had agreed to a settlement with the FTC in June 2016 over allegations that it misled consumers and created potential security concerns with consumer health information.
The FTC alleged that Practice Fusion had misled consumers about how their information would be used. To create a provider directory, Practice Fusion sent emails to patients asking for doctor reviews. However, Practice Fusion reportedly did not properly disclose to consumers that the reviews they submitted about their doctors would be posted online.
“The proposed consent agreement protects consumers’ online privacy by prohibiting Practice Fusion from misrepresenting the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information, including the extent to which covered information shall be made publicly available,” FTC Secretary Donald Clark explained in a letter. “In addition, the proposed consent agreement prohibits Practice Fusion from posting online any individually identifiable information from a consumer unless Practice Fusion obtains the consumer’s affirmative express consent.”
If Practice Fusion violates the final order, it will be liable for civil penalties of up to $40,000 per violation.
The agreement also requires Practice Fusion to clarify how it intends to use any information that consumers provide.
“...the extent to which Respondent uses, maintains, and protects the privacy and confidentiality of any covered information, including: the extent to which covered information shall be made publicly available, including by posting on the Internet,” the agreement says.
One of the ways that Practice Fusion was allegedly unclear in its handling of patient data was in the review form that individuals had to fill out. While going through the form, individuals were required to check the box next to the phrase, “I agree to the terms of the Patient Authorization,” in order to submit their feedback. However, viewing the actual Patient Authorization was not required.
This case should serve as an example to healthcare organizations not only in maintaining patient data privacy, but in being forthcoming about how that data might be used and disclosed.
The HIPAA Privacy Rule states that health plans and healthcare providers need to have a notice of privacy practices (NPP). This explains to patients how their PHI is going to be used and disclosed at a particular organization. It also highlights what the individual patient privacy rights are.
“The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information,” HHS explains. “Most covered entities must develop and provide individuals with this notice of their privacy practices.”
The following information must be included in an NPP, according to HHS:
- How the covered entity may use and disclose protected health information about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
It is also important to note, though, that correctional institutions that are covered entities, health care clearinghouses, and group health plans that provide benefits only through one or more contracts of insurance with health insurance issuers or HMOs are not subject to this same requirement.